Impact on Brand Names

Aberdeen Group's June 2007 study found that the biggest driver pushing companies to comply with the PCI data security requirements is the need to "protect the organization and its brand from the negative consequences of highly publicized data breach disclosures." As the PCI Council's general manager Bob Russo put it, "Nobody wants to be the next company they read about in the papers with a major security breach; it costs their brand."

And if the retail merchants and credit card companies don't take steps to clean up their acts, there's always the worry that federal regulators will. That's why the companies are eager to demonstrate that they can police their payment systems on their own.

Some companies are doing the bare minimum to comply, while others are using the advent of the PCI data security standards as a springboard for launching broader data security upgrade initiatives across their organizations. "We think it's much more than just customer credit card information that we need to protect," said Susan Bush, a spokeswoman for Best Buy.

Among the best-in-class companies surveyed by Aberdeen Group, almost half (47%) were using PCI as a basis to improve security and ensure compliance with other regulatory requirements. The reason is that many regulations (HIPAA, Sarbanes-Oxley, and PCI, for instance) overlap considerably when it comes to protecting sensitive data: access control, logging, and encryption controls built for one can be reused as evidence for the others.

The CIO's role in all this is key. At many companies, the effort to attain full PCI compliance may be headed up by a chief of data security, or possibly the head of the internal audit department.

But I.T. invariably is involved. "This is usually a pretty big effort at most companies, and the CIO typically is responsible for a lot of projects to get the controls in place," said Laliberte of Protiviti.

And although many of the PCI data security standards are fairly basic, some ultimately require retailers to either upgrade or replace existing systems, particularly older legacy systems.

"One of the biggest challenges is the requirement for data encryption," Laliberte pointed out. "When you have high-volume processing, encryption slows things down." What's more, the PCI standards do not stop at encrypting card data in transit over open, public networks: any stored primary account number must be rendered unreadable, whether by strong encryption, truncation, tokenization, or a strong one-way hash, and sensitive authentication data such as the full magnetic-stripe track and the card verification code may not be retained at all once a transaction has been authorized. For retailers whose legacy applications log or batch full card numbers in the clear, that means changing how the data is handled, not just adding a cipher to the wire.

Laliberte cited the example of one nationwide retailer that had to replace all the network equipment in 2,000 stores to meet the PCI security threshold. "Log-in requirements are very strict, and the older equipment simply can't support it," Laliberte said.

Doug Bartholomew is a career journalist who has covered information technology for more than 15 years. A former senior editor at IndustryWeek and InformationWeek, his freelance features have appeared in New York magazine and the Los Angeles Times Magazine. He has a B.S. in Journalism from Northwestern University.
